nmap examples
nmap -v -sn -n 10.127.6-90.1-253 -oG - | awk '/Status: Down/{print $2}'
cat targets.txt
www.azen.site
192.168.1-10.1-254
172.16.0.*
10.0.0.0/8
nmap -iL targets.txt
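Before feeding a targets file like the one above to nmap -iL, it is worth knowing how many addresses each line covers: a single 10.0.0.0/8 entry dwarfs the rest of the file. The following Python is an added example, not part of the original cheat sheet or of nmap itself; it expands the target-spec forms shown above (hostname, per-octet ranges and lists, the * wildcard, CIDR) and reports the host count per line. Hostnames are counted as one target each, which assumes nmap's default of scanning only the first resolved address.

```python
import ipaddress
import itertools
import re

# One octet field: "7", "6-90" or "1,5-7"; "*" is handled separately.
OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
# A whole field that looks like an octet expression rather than a DNS label.
OCTET_FIELD_RE = re.compile(r"[\d,\-*]+")


def _octet_values(field):
    """Expand one octet field of an nmap target spec into a list of ints."""
    if field == "*":
        return list(range(256))
    values = []
    for part in field.split(","):
        m = OCTET_RE.match(part)
        if not m:
            raise ValueError(f"bad octet field: {field!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of order or out of bounds: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def _is_octet_spec(spec):
    fields = spec.split(".")
    return len(fields) == 4 and all(OCTET_FIELD_RE.fullmatch(f) for f in fields)


def expand_target(spec):
    """Yield every IPv4 address (as a string) that one target spec covers.

    A hostname is yielded unchanged: nmap resolves it at scan time."""
    spec = spec.strip()
    if "/" in spec:
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
    elif _is_octet_spec(spec):
        octets = [_octet_values(f) for f in spec.split(".")]
        for combo in itertools.product(*octets):
            yield ".".join(map(str, combo))
    else:
        yield spec


def count_targets(spec):
    """Number of addresses a spec covers, computed without expanding it."""
    spec = spec.strip()
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    if _is_octet_spec(spec):
        total = 1
        for f in spec.split("."):
            total *= len(_octet_values(f))
        return total
    return 1  # hostname: assumes nmap's default of one resolved address


def scope_report(targets_text):
    """Map each non-empty, non-comment line of a targets file to its host count."""
    report = {}
    for line in targets_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            report[line] = count_targets(line)
    return report


if __name__ == "__main__":
    # Constructed copy of the targets.txt shown in the cheat sheet.
    SAMPLE_TARGETS = "www.azen.site\n192.168.1-10.1-254\n172.16.0.*\n10.0.0.0/8\n"
    for spec, n in scope_report(SAMPLE_TARGETS).items():
        print(f"{spec:24} {n:>10} hosts")
```

Run it on a real targets file before a scan to catch an accidental /8, and note that nmap's own counter (the "N IP addresses scanned" line at the end of a run) is the authoritative figure once the scan has completed.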
Port Scan
- -sS : TCP SYN port scan (Default)
- -sT : TCP connect port scan
- -sA : TCP ACK port scan
- -sU : UDP port scan
- -Pn : Disable host discovery. Port scan only.
Ping Scan (Host Discovery)
- -sn : Disable port scanning. Host discovery only.
- -PS : TCP SYN discovery on port x. Port 80 by default.
- -PA : TCP ACK discovery on port x. Port 80 by default.
- -PU : UDP discovery on port x. Port 40125 by default.
- -n : Never do DNS resolution
Port Specification
- -p 21-100 : Port range
- -p U:53,T:21-25,80 : Port scan multiple TCP and UDP ports
- -p- : Port scan all ports
Service Version Detection
- -sV : Attempts to determine the version of the service running on each open port
- -A : Enables OS detection, version detection, script scanning, and traceroute
OS Detection
- -O : Remote OS detection using TCP/IP stack fingerprinting
- -A : Enables OS detection, version detection, script scanning, and traceroute
Timing and Performance
- -T0 : Paranoid
- -T1 : Sneaky
- -T2 : Polite
- -T3 : Normal
- -T4 : Aggressive
- -T5 : Insane
NSE Scripts
- -sC : Scan with default NSE scripts. Considered useful for discovery and safe.
- --script=banner : Scan with a single script. Example banner.
- --script=http* : Scan with a wildcard. Example http.
- --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 : NSE script with arguments
Useful NSE Script Examples
- nmap -Pn --script=dns-brute domain.com
- nmap -p80 --script http-sql-injection domain.com
Firewall / IDS Evasion and Spoofing
- -f : nmap 192.168.1.1 -f ~ Requested scans (including ping scans) use tiny fragmented IP packets, which are harder for packet filters to inspect
- --mtu : nmap 192.168.1.1 --mtu 32 ~ Set your own offset size
- -D : nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 ~ Send scans from spoofed IPs
- -D : nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip ~ Above example explained
- -g : nmap -g 53 192.168.1.1 ~ Use given source port number
- --proxies : nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 ~ Relay connections through HTTP/SOCKS4 proxies
- --data-length : nmap --data-length 200 192.168.1.1 ~ Appends random data to sent packets
Output
- -oN : Normal output to the file normal.file
- -oX : XML output to the file xml.file
- -oG : Grepable output to the file grep.file
- -oA : Output in the three major formats at once
- -oG - : Grepable output to screen. -oN - and -oX - work the same way
- --append-output : Append a scan to a previous scan file
- -v : Increase the verbosity level (use -vv or more for greater effect)
- -d : Increase debugging level (use -dd or more for greater effect)
- --open : Only show open (or possibly open) ports
- --packet-trace : Show all packets sent and received
- --iflist : Shows the host interfaces and routes
- --resume : Resume a scan
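The grepable format (-oG) is what the awk one-liner at the top of this sheet consumes, and it is the easiest format to post-process when checking an inventory against what is actually exposed. Below is an added Python parser that is not part of the original cheat sheet or of nmap: it reads -oG output into a per-host structure, lists open ports, and flags open ports that are not on a defender-maintained allow-list. The sample output is constructed to match the grepable layout (tab-separated "Key: value" fields; each port is port/state/protocol/owner/service/rpc/version). Note that "Status: Down" lines appear only when the scan was run with -v, as in the first command on this page.

```python
import re

# Constructed sample of nmap -v -sS -oG - output (not from a real scan).
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v -sS -oG - 192.168.1.0/29
Host: 192.168.1.1 (gw.lab.example)\tStatus: Up
Host: 192.168.1.1 (gw.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.2 ()\tStatus: Down
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.3 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:00:03 2024 -- 8 IP addresses (2 hosts up) scanned in 2.35 seconds
"""

# "Host:" value is "<ip> (<reverse-dns-name or empty>)".
HOST_RE = re.compile(r"^(\S+) \(([^)]*)\)$")


def parse_grepable(text):
    """Parse -oG output into {ip: {"hostname", "status", "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        m = HOST_RE.match(fields["Host"])
        if not m:
            raise ValueError(f"unexpected Host field: {fields['Host']!r}")
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        # Ports are comma-separated; each is seven slash-separated fields.
        # nmap writes any literal "/" inside service/version text as "|",
        # so splitting on "/" is safe.
        for spec in fields.get("Ports", "").split(", "):
            if not spec:
                continue
            parts = spec.split("/")
            entry["ports"].append({
                "port": int(parts[0]),
                "state": parts[1],
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6],
            })
    return hosts


def hosts_by_status(hosts, status):
    """IPs whose Status field equals the given value ("Up" or "Down")."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == status)


def open_ports(hosts):
    """Sorted (ip, port, proto, service) tuples for every open port."""
    return sorted(
        (ip, p["port"], p["proto"], p["service"])
        for ip, h in hosts.items()
        for p in h["ports"]
        if p["state"] == "open"
    )


def unexpected_exposures(hosts, allowed):
    """Open ports absent from an allow-list of the form {ip: {port, ...}}."""
    return sorted(
        (ip, port)
        for ip, port, _proto, _service in open_ports(hosts)
        if port not in allowed.get(ip, set())
    )


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    print("down:", hosts_by_status(parsed, "Down"))
    for row in open_ports(parsed):
        print("open:", row)
    # Hypothetical allow-list: only the gateway's SSH and HTTP are expected.
    print("unexpected:", unexpected_exposures(parsed, {"192.168.1.1": {22, 80}}))
```

Pipe a live scan into it with nmap -v -sS -oG - <targets> | python3 this_script.py after swapping SAMPLE_GREPABLE for sys.stdin.read(); the allow-list is the piece you maintain from your asset inventory, and anything unexpected_exposures returns is a finding to investigate.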